Skip to main content

Flavor Hub - Changelog

[1.11.0] - 2026-07-03 — Refund notifications + a complete money-movement trail

Refunds now keep your customers in the loop and give admins a clearer financial picture. Every refund sends the customer a confirmation email and raises an in-app notification in their portal — on every kind of refund, not just subscriptions. In the admin console, the payment audit trail now records money coming in (every confirmed payment) as well as going out (refunds), and shows how each refund was returned.

Added

  • Refund notifications — email + in-app portal alert. When a refund is processed — whether you issue it from the admin console or the customer requests it themselves — the customer now receives a clear confirmation email and a notification in their portal. Previously only subscription refunds sent an email, and nothing ever appeared in the portal.
  • Payments in the audit trail. Every completed payment (a subscription, a renewal, a site or license purchase, an upgrade, a license pack or a commitment) is now recorded in the admin audit log with its amount, type and transaction reference — so the trail shows money in as well as money out.

Fixed

  • Refund transaction references are always recorded. A refund that settles later than the same day now always stores its payment-provider transaction reference on the payment record and in the audit log.
  • Portal notifications appear instantly. The portal notification bell updates right after a self-service refund, and the notifications list refreshes on its own — no page reload needed.

Updated

  • Clearer refund details in admin. The payment drawer now shows how a refund was returned (an immediate reversal or a settled refund) alongside the charge and refund references, amount and status.

[1.10.0] - 2026-07-01 — Withdraw a bad release, sturdier payment records, and admin polish

A focused update to the licensing Hub. Admins can now pull a bad release from distribution in one click — if a newly-published version turns out to have a problem, suspend it and sites immediately stop being offered it, falling back to the previous good version until a fix ships. Behind the scenes, payment records moved onto a cleaner, more reliable structure, and the admin console got accuracy and tidy-up fixes.

Added

  • "Suspend" a release from the Versions screen — if a freshly-published version has a critical bug, suspend it and it immediately stops reaching customers' update checks (they stay on the previous good version); a direct download of it is refused with a clear reason. Resume puts it back, and publishing a newer version clears the suspension automatically. Every suspend/resume is recorded in the audit log.

Updated

  • More reliable payment records — the details behind each payment (linked license, bundle, discount, and so on) now live in proper, queryable fields instead of being packed into a text description. Nothing changes day-to-day; it makes payment reporting and refunds sturdier.

Fixed

  • The Maintenance screen now shows the real task schedule — the scheduled-task times were out of date; they now match when the jobs actually run (the daily jobs run overnight, database maintenance runs weekly on Sunday).
  • Desktop-app update endpoints send stricter security headers, plus a round of admin-console visual-consistency polish and dead-code cleanup.

[1.9.0] - 2026-06-30 — Redesigned Hub, a new Payments & refunds console, and partner-portal improvements

A large update to the licensing & partner Hub. The entire admin console and customer portal have been redesigned with a refreshed look, full dark mode, and faster, cleaner screens. Admins get a new Payments screen that lists every payment across all customers and a single Refund action that handles each payment type correctly — with safeguards so a refund can never accidentally cut off a live customer site. Partner-portal wording and navigation were tidied up, and a licensing rule for referral partners was tightened.

Added

  • New admin Payments screen — one place to see every payment across all customers, including standalone bulk-pack, site-license and commitment purchases that never appeared in the admin before, with status/type filters, search, and a clear refund-eligibility breakdown per payment.
  • Live admin overview metrics — new summary cards for customers, subscriptions (monthly revenue, active, cancelled, expiring soon) and partners (pending applications, commissions owed, payouts).
  • Per-site license deactivation from the license detail view, so you can free a single seat without revoking the whole license.
  • Recipient counts when composing a notification, so you can see how many customers a message will reach before sending it.

Updated

  • Redesigned admin console (every screen) and customer portal in the new "Aurora" design system — refreshed typography and colours, a light/dark theme toggle, grouped navigation, a conversation-style Tickets view, and faster, lighter charts. Every existing action and data view is preserved.
  • Partner dashboard for referral partners reworked to clearly show available balance, commission rates and a streamlined payout-request flow; the customer dashboard now shows "Referred customers" for referral partners.
  • Admin Subscriptions now shows each customer's actual account role (not just the billing plan), adds a "View by: Role / Plan" toggle, and lists all of a customer's payments in the detail view.

Fixed

  • Refunds are now safer and more complete. A single refund tool handles every payment type and always reverses partner commissions; bulk-pack refunds are blocked while their licenses are still live; license renewals can now be refunded (the renewed year is reverted) instead of needing support; and every refund respects the 30-day window. Behind the scenes the payment-provider reversal is more resilient to network errors, so a refund can't be sent twice.
  • Partner portal clarity — bulk packs are now clearly shown as a Managed add-on (not a separate model), onboarding no longer re-asks details you've already provided, and the partner menu only shows the sections that apply to you.
  • Referral partners can no longer create free, sellable licenses while also earning referral commissions.
  • Dark-mode tables no longer show a harsh bright divider line between rows.

[1.8.0] - 2026-06-23 — Licensing catalogue update & update-server endpoints

Registers the new HR module in the licensing catalogue so it's correctly recognised at the Business tier, and adds update-server endpoints used by an upcoming desktop companion app.

[1.7.0] - 2026-06-15 — License grace period

When a license expires, the Hub now keeps it valid through a configurable grace window (Subscription Settings → Grace Period), so sites that opt in keep their premium features while they renew. Revoked or suspended licenses are never granted grace, and renewal reminders now also go out 14 days ahead.

[1.6.1] - 2026-06-08 — Reliable component updates for beta-channel sites

A patch fixing a component-update issue for sites on the beta channel. After a beta release was promoted to stable, a beta-channel site could stop seeing updates for individual components (for example a payment gateway, or the plugin's core component) — the update server kept offering an older pre-release build instead of the newer stable one. The server now always offers and delivers the newest available build per channel, so a beta site is never left on a component older than what stable already has. Stable-channel sites were unaffected.

[1.6.0] - 2026-06-01 — Add-on pack delivery & safer version uploads

A minor update to the licensing & update server. It adds support for delivering add-on packs (such as the AI Pack) through the existing update channel, and hardens the admin version-upload flow by validating that an uploaded ZIP matches the product it's being uploaded to — preventing a wrong-file upload from reaching customer sites.

Added

  • Add-on pack delivery — the Hub can now host and serve cross-product add-on packs, so new capabilities (like the AI Pack) install through the same one-click update channel as everything else.
  • Upload safety check — when an admin uploads a new product version, the Hub now verifies the uploaded ZIP's contents match the destination product and rejects mismatches up front.

Fixed

  • Corrected the upload validator so legitimate plugin packages whose main file is named differently from their folder are accepted.

[1.5.2] - 2026-05-11 — Dev/beta sites correctly receive newer beta and stable releases

A focused patch that fixes a release-channel cascade bug. Customer sites on the dev or beta release channels were stuck on older releases even after a newer beta or stable build was published — the Hub kept serving the older dev/beta build until the operator manually retired the older version.

Fixed

  • Dev and beta sites now correctly fall through to newer releases. Previously, when a newer beta build was uploaded to the Hub, any older dev builds for the same product stayed "active" in the version cascade — sites on the dev channel kept seeing the older dev build as the latest available. Same for older beta builds after a newer stable shipped. The Hub now automatically marks older lower-channel versions as superseded whenever a higher-channel version is uploaded. No operator action needed — uploading a beta automatically retires older dev rows; uploading a stable automatically retires older dev and beta rows. Old version artifacts remain available on disk (no data loss), they just stop being served as "the latest available" for that channel.

[1.5.1] - 2026-05-05 — Faster admin dashboard + faster support ticket list + faster auto-renewal cron

A focused patch release that tightens 5 database access patterns across the Hub. All improvements are server-side — no UI or API changes; you'll just notice things load faster.

Fixed

  • Faster Hub admin dashboard — the dashboard's overview stats (license counts, active customers, recent activity) now load with 50% fewer database round-trips. Visible improvement: ~30-60 ms saved per dashboard load, more on cold cache.
  • Faster admin Support Tickets list — list page no longer loads the full body of every message just to count them per ticket. Saves ~50-150 ms per render when you have 50+ tickets each with 10+ messages.
  • Faster license auto-renewal cron — the daily auto-renewal task now batches its database queries instead of running them per-partner in serial. At 1000+ partners with managed sub-customers, this cuts the cron runtime from ~30 seconds to under 2 seconds.
  • Faster component downloads — eliminated a redundant database lookup in the per-component download path. Saves a few milliseconds per download, but those add up across the customer fleet.
  • Faster /check-updates responses — every WordPress site checking for product updates (every ~12 hours by default) now hits the Hub with one less query. At fleet scale the savings compound meaningfully.

[1.5.0] - 2026-05-05 — Stale-activation cleanup admin tool + faster Partners list

A focused minor release with two operator-facing improvements plus internal infrastructure for a future internal-only release stream.

Added

  • "Cleanup Stale Activations" admin tool on the Licenses page. When a development or staging domain accumulates orphan activation rows over time (testers cycling license keys), this tool deactivates them in one click. Enter the domain, optionally provide a comma-separated list of license keys to keep active on that domain, confirm the destructive action, and the tool deactivates everything else. Audit-logged for traceability. Use case: dev VPS that ended up with 4 active rows when only 2 were in actual use.

Fixed

  • Faster Partners list page for environments with many managed partners. Removed a per-partner database lookup that was scaling poorly at 25+ partners; replaced with a single bulk pre-fetch. Also closed an O(N²) merge step. Visible improvement: ~1.25 seconds saved per page render at 25 managed partners (more on cold cache). Files affected: admin Partners list endpoint.

[1.4.0] - 2026-04-30 — Release Channels infrastructure + admin UI + webhook security hardening

Minor release closing the Release Channels infrastructure for Theme/Plugin/Core update flow, an admin UI for managing channels and beta access, plus webhook security hardening.

Added

  • Release Channels infrastructure for product updates. Theme, Plugin, and Flavor Core updates now flow through Stable / Beta channels just like components. Sites participating in beta cycles receive the latest applicable beta version; sites on stable receive only stable releases. Per-license beta access is admin-controlled — the Flavor team grants beta access per license on request.
  • Admin UI for channel management on the Versions and Licenses pages: channel badges (Stable / Beta), side-by-side stable + beta cards per product, "Promote to Stable" button on beta versions, inferred-channel hint as you type the version in the upload form, replace-target preview ("This will replace beta v9.2.0-beta.1"), and a Beta Access toggle column on the Licenses table.
  • License API now exposes Beta Access. Activation responses, license list responses, and the admin license PATCH endpoint all support the beta_enabled field — used by Flavor Core to enable the Beta radio in Flavor → Settings without waiting for the next verify cycle.
  • Update download endpoint accepts release_channel query parameter as a fallback for clients that can't send custom headers (e.g. WordPress's built-in download_url() helper). Headers still take precedence when both are provided. The license-side beta gate remains enforced server-side regardless of how the channel is declared.
  • SSRF protection on portal-controlled webhook URLs. Reseller and agency portal users were previously able to register arbitrary webhook URLs that the Hub would POST to during webhook delivery — including private network addresses, cloud metadata services (AWS / GCP / Azure / Alibaba / Oracle), and loopback. New validator rejects all of these at registration time and re-validates DNS at delivery time to defeat DNS-rebinding attacks. HTTPS enforced in production. Redirect-following disabled. Truth-table verified across IPv4, IPv6, and hostname-rebinding scenarios.

Fixed

  • Beta version updates now reach beta sites correctly (critical). A version-comparison bug in the component-update endpoint silently treated every pre-release version (e.g. 1.1.0-beta.1) as version (0,), so beta sites comparing against their installed stable always saw "no updates available". Caught during pre-release code review. Fixed with a SemVer-aware comparator that correctly orders pre-release versions (alpha < beta < rc < stable; higher beta numbers > lower; stable always > any beta of the same X.Y.Z).
  • Pre-release version strings can no longer accidentally clobber the stable channel pointer. Defense-in-depth across all admin component endpoints — POST, PUT, and the upload sync path all now reject pre-release strings as a component's current_version. The current_version field is what stable subscribers receive on update checks; setting it to a beta string would have locked stable customers onto the beta version until manual database surgery.
  • Component-level beta uploads now replace within the same channel instead of accumulating new rows per beta cycle iteration. Each --beta=N upload now removes the previous beta row + file from disk before inserting the new one (audit trail preserved via deletion log entries). Stable rows are never touched by a beta upload, and vice-versa.
  • Customer portal session security hardening verified across all paths. The token_version keystone (added Apr 27 to admin sessions) was extended to customer sessions in the same release. Verification confirmed the customer portal half is fully implemented: every session token carries the user's token_version claim, every refresh and authenticated request verifies it, password change runs current-password reauth and increments the claim (invalidating all existing sessions), and password reset increments the claim (invalidating sessions on the leaked-credential path).

[1.3.0] - 2026-04-27 — Security hardening release

Major Hub release closing audit findings across authentication, trust chain, and webhook integrity. Two database migrations introduce a token-version mechanism that lets every password change, 2FA enable, or password reset instantly invalidate every active session everywhere — closing the post-compromise persistence chain. Brute-force protection is hardened end-to-end (Cloudflare CAPTCHA fail-closed, accurate per-IP rate limiting via reverse-proxy headers, per-username throttle on top of per-IP). The settings UI gains reveal-on-demand for secret values, the manifest endpoint refuses unsigned payloads, component downloads require fingerprint binding, and the Viva Wallet webhook independently re-verifies every transaction against Viva's API. Two new database migrations applied automatically on first boot.

Added

  • Token-version mechanism for sessions. Every password change, 2FA enable / disable, or password reset now instantly invalidates ALL outstanding access and refresh tokens — across browsers, devices, and any stolen sessions. Two new database migrations (053, 054) applied automatically on first boot. Existing logged-in admins and portal users will be asked to log in again after the upgrade — this is expected.
  • Per-username login throttle. Beyond the existing per-IP rate limit, the Hub now also tracks failed logins per username. Ten failed password attempts on the same account within an hour return a 429 with a clear "too many attempts" message — closes the IP-rotation bypass against brute-force attacks.
  • Secret reveal endpoint with re-auth. A new POST /admin/settings/reveal/{key} endpoint returns the full plaintext value of a secret setting after the admin re-enters their password. Every reveal is audit-logged; failed attempts are also logged. Use the new "Reveal" button in Settings UI for any redacted field.
  • License-share protection on component downloads. Component download endpoint now requires a fingerprint header that matches the activation's bound fingerprint. A leaked license key alone is no longer enough to download components — the hardware fingerprint must also match. Requires Plugin v9.1+ and Theme v5.1+ on the customer side.
  • Manifest signing is now mandatory in production. The Hub refuses to serve unsigned feature manifests; the FastAPI app refuses to start in production mode without a configured signing key. Closes the silent tier-escalation chain when the key environment variable was accidentally unset.

Updated

  • Admin settings show secrets redacted by default. SMTP password, Brevo / Viva / Turnstile API keys, webhook secrets, and similar fields now appear as ***<last4> in the Settings UI. The actual value is fetched on-demand via the new "Reveal" button (re-auth required). The Settings PUT handler also detects when the redacted preview is echoed back unchanged and preserves the real secret — saving Settings without changing anything no longer corrupts your secrets.
  • Reverse-proxy header configuration corrected. uvicorn now starts with --proxy-headers --forwarded-allow-ips, so per-IP rate limiting reflects real client IPs (forwarded by Nginx) instead of always seeing the loopback address. Single attackers can no longer exhaust the global rate-limit bucket and lock out legitimate users.
  • Ticket attachments — SVG removed + sandboxed download. SVG attachments are no longer accepted (they can carry inline <script> and execute in the admin/portal context). Downloads always force Content-Type: application/octet-stream plus a CSP sandbox header — even if a renderable type slips through, the browser cannot execute scripts in the response context.

Fixed

  • 2FA bypass via temp-token closed. The temporary token returned during the post-password / pre-2FA step can no longer be used as a regular Authorization: Bearer token against admin endpoints. It now correctly errors with "2FA verification required" — the post-password / pre-2FA window is no longer exploitable.
  • Cloudflare Turnstile failures now block login (fail-closed). When the Turnstile verification call fails (Cloudflare outage, network blackhole, etc.), the Hub now refuses the login attempt with a 400 instead of waving the request through. Brute-force protection MUST fail closed; the rare-outage 5-minute disruption is preferable to unlimited free attempts.
  • Password change now invalidates other sessions + sends notification email. When you change your admin password, an email is sent to your address with a "if this wasn't you" link, and any other active sessions (other browsers, mobile, captured tokens) are invalidated immediately. Stolen-cookie account-takeover persistence is closed.
  • 2FA enable / disable now require current password. Previously, an attacker holding a stolen access token could call /2fa/enable with their own TOTP secret and lock out the legitimate admin. Both /enable and /disable now require the current password as a second factor.
  • Viva Wallet webhook independently re-verifies every transaction. The webhook handler now calls Viva's API for every incoming notification and asserts that the OrderCode, status, and amount match before flipping any payment to COMPLETED. Forged webhook calls are rejected without any state mutation. Most severe finding in the Hub audit — closed.
  • Ticket-attachment path traversal closed. The user-supplied filename is now stripped of directory components and stored as <uuid>.<ext>; the original name survives only in the database for display. Containment checks on both upload and download ensure files cannot escape the upload directory. Closes a path-traversal vector that could have led to remote code execution.

[1.2.0] - 2026-04-24 — Flavor Core update support & component re-upload

Pair-release with Flavor Core v2.1.0 — unblocks Core clients from receiving updates and adds an admin option to re-upload a component ZIP without bumping its version (useful for same-version hotfixes or bulk migrations).

Added

  • Flavor Core update channel. The Hub now recognises Flavor Core as a managed product, so existing Core installations can check for and install updates through Flavor → Dashboard on the customer site.
  • Force re-upload for components. Admins can now overwrite an existing component version with a new ZIP (new file content, same version string). The previous ZIP is removed atomically and both actions are audit-logged.

[1.1.0] - 2026-04-20 — Partner Programs, Agency Tools, Credit Billing & Tax System

Session focus: 188 entries accumulated since the v1.0.0 baseline. Major additions across partner programs (Referral + Managed), Agency tools (Bulk Packs + Commitment Tiers), Credit/Net-30 billing, VAT/Tax system, email system overhaul (23+ templates), announcement system, unified cron logging, and a wide cleanup pass with 41 fixes — many uncovered by the increased integration surface.

Added

Partner Programs (Referral + Managed)

  • Partner Model Selection — New page with Referral + Managed options. Earnings tables, how-it-works steps, example revenue, RRP+MAP policy. POST /portal/partners/select-model with 12-month lock. GET /portal/partners/model-status
  • Partner Onboarding Flow — Company info (name, VAT, tax office), IBAN, terms acceptance. Auto-redirect. Sidebar locked until both steps complete
  • Forced Model Selection — Reseller/Agency sidebar locked (Add/Upgrade Site, Clients, API Keys, Webhooks) until partner model selected. Dashboard auto-redirects
  • Portal Partner Dashboard — 4 stats cards, referral link with copy, commission rates, payout request, profile edit, commission history, payout history
  • Initial/Renewal Commission Split — Separate rates per tier (Certified 25%/15%, Premium 30%/20%)
  • Commission Auto-Confirm Cron — Daily: auto-confirms PENDING commissions past refund window + premium tier auto-upgrade threshold checks
  • Referral Attribution — Referral badges on admin Customers + Partner Dashboard "Referred Customers" section. GET /portal/partners/referrals
  • Managed Partner Model — Buy licenses at partner discount (configurable % off RRP), manage clients end-to-end. No commission (anti-double-dipping)
  • Managed Partner Billing Mode — Prepaid/Credit selection after onboarding. Free license creation blocked for managed+prepaid
  • Managed Add Site (Partner Pricing) — Dedicated paid purchase flow. Bundle cards with RRP strikethrough + discount price + "Save €X" badges. Sub-client "Create for" dropdown
  • Dynamic Partner RatesGET /portal/partners/rates endpoint. Model selection reads live rates from admin settings
  • Per-role Partner Settings — Separate commission/discount rates for Reseller vs Agency
  • Payout Request Schedulingpartner_payout_mode (free/scheduled) + partner_payout_days settings
  • Min Payout Enforcementpartner_min_payout_cents from admin settings (default €50)
  • Admin Partners Management Page — List with search/status/tier filters, expandable detail rows, approve/suspend/revoke actions, tier upgrade/downgrade
  • Partner Personal/Business Account Type — Referral partners choose Personal (full name + IBAN) or Business (company/VAT/tax office/IBAN). Managed/Agency auto-use Business

Agency Tools (Bulk Packs + Commitment Tiers)

  • Agency Upgrade Path — Reseller→Agency application flow with admin approval. Portal "Apply for Agency" button with pending/rejected/re-apply states
  • Agency Apply from Developer — Developers can apply for Agency directly (no Reseller step)
  • Agency Model Selection — Role-aware: Agency sees 4-card layout (Managed/Bulk Packs/Commitment Tiers/Custom Partnership), Reseller sees 2-card
  • Agency Inquiry Questionnaire — 8-question form. Auto-creates HIGH priority support ticket with formatted answers
  • Bulk License Packs — Full Purchase Flow — BulkPackPurchase model + AgencyLicenseLink join table. Viva checkout → provision all licenses immediately. 3 new endpoints
  • Bulk Pack Credits System — Packs no longer provision licenses instantly. Credits stay until consumed (no expiry). License creation deducts credits
  • Pack Credits Bundle Restriction — Business card shows "Upgrade with cost" (Viva at partner discount) when deploying from Starter pack. Theme always free
  • Commitment Tiers — Enrollment + Purchase Flow — Free enrollment, per-license purchase at committed rate, auto-complete when target met. 5 new endpoints
  • Commitment Penalty Cron — Daily: expired enrollments → PartnerInvoice → auto-charge card-on-file
  • Agency License Trackingagency_license_links table groups licenses to bulk packs or commitments without adding columns to the core licenses table
  • Model-Aware Partner Dashboard — 4 layouts: Referral, Managed, Bulk Pack, Commitment. ModelInfoSection with switch status + blockers
  • Model Lock System — Consume credits first / complete target or wait / 12-month time lock. Cross-model purchase blocked
  • Admin Pack/Commitment Management — 4 admin endpoints. Admin Partners page shows pack/commitment tables in expanded detail
  • Bulk Pack Refund — Viva refund + revoke all linked licenses. Portal + Admin endpoints

Billing & Payments

  • Developer "Add Site" Paid Flow — Purchase additional sites via Viva. Each purchase creates 2 licenses (theme + plugin) or 1 (theme-only). Site-based counting
  • "Add / Upgrade Site" Portal Page — Buy New License (3 bundle cards) + Upgrade License tab
  • Per-License Upgrade — Pro-rated Starter→Business. Free instant upgrade if price diff ≤ 0
  • PaymentType.LICENSE_UPGRADE — New enum + purple "Upgrade" badge + "(from Order #X)" reference on upgrade orders
  • Free Reseller/Agency Upgrade — Customer→Developer/Reseller, Developer→Reseller. Auto-creates Partner profile
  • Role Upgrade Gate — Customers need ≥1 active license with activated domain before upgrading
  • Admin Customer Role Management — Inline dropdown to change customer type
  • Per-Order Cancel/Refund Systempayment_id FK on licenses. Refund window per-payment. PortalRefund.jsx page
  • Bulk License Actions — Admin: bulk-revoke + bulk-delete (max 200). Portal: same (max 100, ownership validated)
  • Credit Mode (Net-30)partner_invoices tables. Free license creation for credit partners. Credit limit enforcement (€5000 default). Monthly auto-finalization. Overdue marking. Auto-revoke after grace period
  • Card-on-File — Viva card tokenization for managed partners. Auto-charge sent invoices. +5% extra discount (configurable)
  • Billing Mode Switching — Prepaid→Credit always allowed. Credit→Prepaid only if no open invoices
  • Dedicated Billing Page (/portal/billing) — Full billing management for credit-mode partners. 5 summary cards. Invoice table with filters. Pay Now via Viva
  • Partner Invoice Tax Supporttax_amount_cents, tax_rate, gross_cents columns. Credit-mode calculates tax per item. Portal invoice table shows Net/Tax/Total columns

License Management

  • NFR License System — Not-For-Resale demo licenses for partners. Auto-provisioned on onboarding (Certified=1 site, Premium=2 sites). Business tier, no expiry
  • NFR license terms + monitoring — Explicit NFR clause in Partner Agreement. Admin endpoint shows activated domains, days active, "90d+" flag for suspicious long-lived activations
  • License Renewal Systemlicense_renewal_service.py with managed-rate pricing. Expiry badges (30/15/7/1 day color-coded). Expiring banner with "Renew All" button
  • License Auto-Renewal System — Daily cron (2 phases): credit-mode invoice renewals + bulk pack renewals (FIFO credits, fallback to invoice)
  • Portal License Filteringsource field (individual/bulk_pack/commitment/nfr). Query params: status, source, search. Color-coded source badges
  • Smart Upgrade/Downgrade cycle — Business→Starter downgrade auto-refunds the upgrade payment if within refund window. Re-upgrade after non-refunded downgrade is free
  • Referral graduation — When a referred customer upgrades to Reseller/Agency, referral link cleared. Existing commissions preserved
  • Partner commission transparency — "Pending" stats card with refund window explanation. Estimated confirmation date per commission

Communications (Notifications, Email, Announcements)

  • Admin Notification Belladmin_notifications table + API. Bell icon with unread badge. Triggers: payout requests, refunds, cancellations
  • Email System Overhaul — 15 new email templates (partner, payout, subscription, commission, admin-directed emails)
  • 8 Agency Email Templates — bulk_pack, commitment (4 variants), license_renewal (3 variants)
  • 3 Invoice Email Templates — invoice_finalized, invoice_paid, invoice_overdue. CTA buttons to /portal/billing
  • Invoice Charge Failed Email — Sent when auto-charge fails
  • Renewal Email Templates — pack_renewal + credit_renewal configurable
  • Role Upgrade Email — Sent when account upgraded. Portal + documentation link
  • Email Log Systememail_logs table tracks every outgoing email. Admin page with stats cards, filters, paginated table
  • Test Email per Template — "Send Test" button on each template. Renders with sample data, sends with [TEST] prefix
  • Email Deliverability Improvements — Plain text alternative, Reply-To header, RFC 2046 compliant multipart/alternative. Brevo tracking disabled
  • Announcement System — Admin-to-portal: HTML body, type, 16 placement options, targeting, scheduling, dismissible, popup show-once
  • Ticket Bell Notifications — New ticket → admin bell. Customer reply → admin bell. Admin reply → portal bell
  • Support Badge — Sidebar shows active ticket count with 30s polling
  • Ticket Email URLs — Admin emails include "View Ticket" button

System, Admin & Security

  • Email Verification System — New customers must verify email before portal access. Register sends verification (24h token). Login blocks unverified. Existing customers auto-verified
  • Maintenance System — Cron with 10 cleanup tasks (orphans, stale, expired, old logs, VACUUM). Admin Settings tab with retention config + "Run Now" button
  • Unified Cron Logging Systemcron_runs table. All 8 scheduled tasks log execution results. Admin "Cron Task History" section with color-coded badges, filter, 30s auto-refresh
  • Tax/VAT Settings System — Configurable default rate, display label, inclusive/exclusive mode, tax-exempt customer selector. Public /tax-info endpoint. Integrated into all 4 payment flows. Backward-compatible
  • Customer "Created By" Tracking — Source column + filter dropdown on admin Customers. Color-coded badges (self/admin/partner)
  • Hub Version Display — Version shown at bottom of both Admin and Portal sidebars
  • Bulk Packs & Commitments no longer exclusive models — Any Agency partner can purchase regardless of current model
  • Bulk Packs: Monthly billing removed — Non-functional monthly option removed. Annual billing only
  • Personal account Referral-only — Managed/Agency models require Business account
  • Model switch resets onboarding — Partner must re-complete profile for new model
  • IBAN Optional for Non-Referral — Only Referral model requires IBAN (for commission payouts)
  • Admin Pricing: % Discount Model — Bulk Packs + Commitment Tiers use % discount instead of cents

Updated

  • Commitment Tiers: Client-based deployment — Licenses deployed through Add/Upgrade Site with mandatory client selection. New CommitmentPrepaidFlow component. CommitmentSummary card on Partner Dashboard
  • Commitment Tiers: Add-on architecture — Commitment is now an add-on (not exclusive model). Any Agency can enroll regardless of partner_model
  • Viva Webhook: All 6 payment types — Rewritten to route by PaymentType. Previously only handled subscriptions — other payment types were silently lost if browser closed before redirect
  • Commission on net amount — Calculated on amount - tax instead of gross. Prevents overpaying partners by tax rate percentage
  • Email URLs dynamic — 5 email senders replaced hardcoded PORTAL_URL with dynamic lookup from admin settings
  • Email deduplication — 30-second dedup prevents duplicate emails from Viva webhook + frontend race conditions
  • Welcome email — Added documentation link
  • Onboarding validation — VAT number + Tax Office required for Business account type
  • Auto-renewal: sub-client licenses — Now includes sub-client licenses (previously only partner's own)
  • Upgrade refund revert — Now checks sub-client licenses (Agency upgrading client's license can be reverted)
  • Hub Backend Reorganization — Monolithic route files split into sub-router packages. 4 new services. 84/84 endpoints preserved, zero behavior change
  • Card-on-File Discount — Prepaid Viva checkout now applies card extra discount. /rates endpoint returns effective discount
  • Settings UI — Email Templates tab grouped (Customer, Auto-Renewal, Partner, Admin) with collapsible sections
  • Sidebar nav — Model-aware sidebar items. Developer: "Add / Upgrade Site". Reseller/Agency: model + onboarding gated
  • Commission rates from settings — Read from hub_settings instead of hardcoded
  • License schema — LicenseResponse includes is_nfr + source fields
  • Partner Dashboard — Model-aware: 4 layouts. Payout/Commission sections only for Referral
  • Default payout frequency — Changed from quarterly to on_demand
  • Admin Customer ID Column — New #ID column for quick reference
  • Licenses Search Expanded — Matches license key + customer email + customer name
  • Cloudflare Turnstile CAPTCHA — Configurable via admin Settings → Security. Protects admin login, portal login, portal register. Graceful fallback
  • Email Verification Badge — Admin Customers: orange ! for unverified, green checkmark for verified
  • Unverified Customer Cleanup — Maintenance deletes unverified customers after retention days (default 7). Skips customers with licenses/subscriptions
  • License Re-activate — Revoked → active (no charge). Invoiced licenses cannot be deleted, only revoked/re-activated
  • Duplicate License Warning — Frontend confirmation when creating licenses for a client that already has 2+ active licenses
  • Managed Credit Add Site — Partner discount pricing (RRP strikethrough + discounted). Creates license directly + adds to monthly invoice
  • Partner Invoices Tab — Subscription page shows Invoices + Payment History tabs for partners with invoices. Unpaid count badge
  • Remove Card-on-FilePOST /remove-card with safety checks. Auto-switches Credit→Prepaid on card removal
  • Managed Credit Card Lock — Credit billing mode without card-on-file locks sidebar features. Unlocks when card saved
  • Managed Model Switch Conditions — Replaced 12-month time lock with financial checks: no unpaid invoices + no active licenses
  • Payout Frequency Cleanup — Removed cosmetic dropdown (not enforced). IBAN field Referral-only
  • Referral Model Switch — Referral partners can switch without 12-month lock, provided: no pending balance, no active payouts
  • Default email sender — Changed from noreply@flavorteam.dev to hub@flavorteam.dev
  • Admin Customers page — New "Source" column with filter dropdown
  • Admin Partners page — Expanded detail includes Bulk Packs + Commitments sections
  • Component admin PUT: current_version updatable — Upload script can sync versions without re-uploading ZIPs
  • Admin Licenses: Bundle/Theme Only — Replaced individual product dropdown with "Bundle" / "Theme Only" selection. Bundle creates 2 licenses automatically
  • Portal Downloads: Flavor Core exempt — Flavor Core always downloadable regardless of Download Access Control setting
  • Cron Logging: Partner Detailsprocess_partner_invoices cron logs failed_partners string
  • Auto-charge: Enriched Failures — Returns failure details (partner_id, invoice_number, error, customer info) instead of just a count
  • Subscription Expired Email Wired — Was dead code. Now triggered when subscription actually expires

Deprecated

  • DELETE /portal/licenses/{id} (Developer/Reseller/Agency) — Portal-side license deletion removed for paid accounts. Endpoint now returns 410 Gone. Use POST /revoke + POST /reactivate instead. Prevents accidental loss of paid license slots without refund. Admin retains delete capability.
  • Free sidebar access for Reseller/Agency — Previously full sidebar access immediately after role upgrade. Now locked (Add/Upgrade Site, Clients, API Keys, Webhooks) until Partner Model is selected + onboarding completed.

Fixed

  • Double-refund vulnerability on per-order refundsrefund_eligible only checked status + window. After an upgrade, original payment still refund-eligible with zero linked licenses. Fixed: now also requires has_active_licenses
  • License upgrade orders empty in Manage Orders — Didn't link license to upgrade payment. Fixed: upgrade orders now look up license from description
  • License upgrade refund didn't revert tier — Only tried to revoke. Fixed: upgrade refunds now revert Business→Starter
  • Duplicate commissions on payment — Viva webhook + frontend PaymentSuccess race condition. Fixed: check if commission already exists for payment_id + partner_id
  • Renewal authorization bypassconfirm_bulk_renewal didn't verify payment ownership. Fixed: customer_id validated against payment.customer_id
  • Lifetime licenses renewable via API — Submitting a lifetime license for renewal would downgrade it to 1-year expiry. Fixed: excluded from both initiate and confirm paths
  • Auto-promote missing NFR provisioning — Auto-promoted Certified→Premium partners missed their NFR entitlement. Fixed: now provisions NFR licenses same as admin path
  • Mock Card Token False Charges — Skips MOCK_* card tokens. Eliminates daily "charge failed: 1" from testing data
  • Pack Credits: 2 credits consumed per site — 10-pack now correctly covers 10 sites (was 5 before fix)
  • DB Constraints & Indexes — Partial unique index on active commitments, CHECK constraint on AgencyLicenseLink, indexes on commissions/commitment_enrollments/bulk_pack_purchases
  • Missing Settings Seed — 30+ hub_settings seeded (previously invisible in admin UI)
  • Notification dropdown left overflow — Bell dropdown extended into main content area via left-0
  • Emails going to junk folder — Added plain text alternative + Reply-To header for Brevo + SMTP
  • Downloads 500 for Reseller — Fixed scalar_one_or_none() crash when multiple active subscriptions exist
  • func not imported — NameError in _count_customer_sites() fixed
  • Viva create_payment_order missing argmerchant_trns required positional argument added
  • Alembic version_num too long — Migration ID shortened to 026_license_purchase
  • Site purchase confirm found upgrade payments — Now rejects payments with license_id= in description
  • PaymentSuccess.jsx missing closing bracket — 7-level cascade had 6 closings
  • _safe_int() for empty DB valuesint('') crash on empty hub_settings. All pricing services now use helper
  • Triple payment confirmation email — Removed duplicate webhook email, added 30s dedup
  • Referral customer source "Self-registered" — Fixed: "partner" when referred_by_partner_id is set
  • Viva webhook LICENSE_UPGRADE missing customer — Webhook now loads customer from payment.customer_id
  • Commission.subscription_id NOT NULL — Nullable for Agency payment types (bulk_pack, commitment)
  • EmailLog + AdminNotification not in models/init.py — Alembic autogenerate can now detect schema changes
  • Maintenance expired commitments before penalty — Only expires commitments with penalty_assessed=True
  • Billing mode credit not blocked server-side for commitment — Server-side check for active commitment enrollment added
  • Per-order refund for bulk/commitment payments — Server-side type check enforces MANAGED_ELSEWHERE exclusion
  • Refund email "5-10 business days" — Changed to "1-5 business days, depending on your card issuer"
  • DownloadLog.created_atdownloaded_at — Maintenance task fixed
  • enabled must be boolean — PortalDashboard fixed with !!hasSubscription
  • FK cascade on customer delete — Agency tables cleaned before payments
  • FK cascade on license deleteagency_license_links cleaned before license deletion
  • Portal licenses not showing (selectinload) — Split into 2-step fetch
  • Non-partner role gate — Customer/Developer at /portal/partner now shows upgrade message
  • 6 broken email calls — Replaced template_name passed as to_email with named sender functions
  • FastAPI route shadowing — Literal paths moved before parametric route
  • Theme Only subscription charged Starter price — Checkout endpoint now handles theme bundle
  • Credit Add Site 405 — New POST /partners/add-site endpoint with bundle→licenses+invoice logic
  • Credit License Upgrade "not found" — Fixed to also check sub-client licenses
  • FINGERPRINT_PRIVATE_KEY base64 padding — Auto-pad prevents crash when env var is missing trailing =

[1.0.0] - 2026-03-30 — Initial Public Release

The first public release of Flavor Hub — the licensing, subscription, and partner management portal for the FlavorTeam ecosystem.

Portal & Account Management

  • Registration & Login — Email/password registration with referral code support, JWT authentication
  • Email Verification — Required for new accounts (24-hour verification link, resend capability)
  • Cloudflare Turnstile CAPTCHA — Bot protection on registration and login
  • Password Reset — Secure token-based reset flow (15-minute expiry)
  • Profile Management — Update name, company, change password
  • Role Upgrades — Free self-service: Customer → Developer → Reseller. Agency requires admin approval

Subscriptions & Payments

  • Subscription Plans — Starter, Business, and Theme Only bundles with monthly/yearly billing
  • Viva Wallet Integration — Secure checkout for subscriptions, site purchases, upgrades, bulk packs, commitments
  • Auto-Renewal — Toggle on/off for automatic subscription renewal
  • Refund System — Full refund within configurable window (default: 30 days) + per-order refunds for Developer+
  • Site Purchase — Buy additional site licenses beyond plan allocation
  • License Upgrade — Starter → Business with pro-rated pricing
  • Tax/VAT Support — Configurable tax rates with inclusive/exclusive display

License Management

  • Auto-Provisioned Licenses — Created automatically on subscription purchase
  • License Tiers — Starter and Business with feature gating via Ed25519-signed manifest
  • Activation/Deactivation — Activate on domains, deactivate to transfer between sites
  • Self-Service Creation — Developers (up to limit), Resellers/Agencies (unlimited), bulk creation up to 100
  • Renewal — Bulk renewal via checkout, auto-renewal for partners with card-on-file
  • Revoke, Reactivate, Delete — Full lifecycle management with bulk actions (up to 100)
  • Filtering — By status, source (individual/bulk_pack/commitment/nfr), search by key or domain
  • NFR Licenses — Demo licenses auto-provisioned for partners during onboarding

Downloads & Updates

  • Product Downloads — Latest versions with active subscription
  • WordPress-Native Updates — Automatic update notifications and downloads
  • Component Delivery — Individual component downloads gated by license tier

Support

  • Tickets — Create, reply, close with unique numbers (FH-XXXXX)
  • File Attachments — Up to 3 files per message (5MB each, 10 supported types)

Partner Program — Referral Model

  • Referral Code — Unique FLV-XXXXXX code for customer acquisition
  • Commission Tiers — Certified (25%/15%) and Premium (30%/20%) for initial/renewal
  • Payout System — Request payouts of confirmed commissions (minimum threshold, schedule-aware)
  • Premium Auto-Upgrade — Automatic tier upgrade at configurable thresholds

Partner Program — Managed Model

  • Discount Pricing — Certified 25%, Premium 30% off RRP + extra card-on-file discount
  • Prepaid Billing — Pay per license via Viva checkout
  • Credit Billing (Net-30) — Instant license creation tracked on monthly invoices, credit limit enforcement
  • Card-on-File — Auto-charge invoices, extra discount, secure card management

Partner Program — Agency

  • Bulk Packs — Volume-discounted license packs (10/20/30) at 25-45% off with credit tracking
  • Commitment Tiers — Annual commitments (Bronze/Silver/Gold) at 30-50% off with progress tracking and year-end penalty
  • Agency Inquiry — Structured partnership questionnaire

Partner Onboarding

  • Business Profile — Company, VAT (VIES-validated), tax office, IBAN
  • Model Selection — Choose Referral or Managed with condition-based switching
  • NFR Provisioning — Demo licenses on successful onboarding

Developer API & Webhooks

  • API Keys — Up to 10 keys (fh_live_* format) for programmatic license and client management
  • License API — List, create, bulk create, revoke, reactivate, delete, change tier
  • Client API — Sub-client CRUD with license viewing
  • Webhooks — 5 events (license created/activated/deactivated/revoked/expired), HMAC-SHA256 signatures, delivery logs, test endpoint
  • Rate Limiting — Per-endpoint limits

Notifications & Announcements

  • In-App Notifications — Product-specific with unread badge and read tracking
  • Announcements — Targeted by role/model/subscription, 4 types (info/warning/success/critical), multiple placements, personalization, dismissible

Email

  • 23 Templates — Registration, verification, subscriptions, commissions, partners, renewals, admin alerts
  • Deliverability — Plain text alternatives, Reply-To headers, SMTP & Brevo support

Public API (WordPress Integration)

  • License Endpoints — Activate, deactivate, verify
  • Update Endpoints — PUC-compatible check, info, and download
  • Component Delivery — Tier-gated component downloads with Ed25519-signed manifests
Full Version History

This page shows the complete Flavor Hub changelog. As the Hub grows, older entries will be archived and only recent versions will be shown here.